Data Processing Agreement
Last updated: April 9, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the General Terms and Conditions between Armin Reiter, sole proprietor, Vienna, Austria ("Processor", "Alphorn"; full contact details in the Imprint) and the entity or person using the Alphorn hosted service ("Controller", "Customer").
This DPA applies to the processing of personal data by the Processor on behalf of the Controller through the Alphorn hosted service at app.alphorn.dev. It does not apply to self-hosted installations, where the Customer is solely responsible for data processing.
2. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Sub-processor" have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
"Customer Data" means any personal data contained in webhook payloads, notification messages, delivery logs, and channel configurations submitted to the Service by the Controller.
3. Subject Matter and Duration
The Processor processes Customer Data for the purpose of receiving webhook payloads, applying filtering rules, and routing notification messages to the Controller's configured channels. Processing continues for the duration of the service agreement and as specified in Section 11 (Data Deletion).
4. Nature and Purpose of Processing
The Processor performs the following processing activities:
- Receiving and temporarily storing webhook payloads (which may contain personal data determined by the Controller)
- Evaluating filtering rules against message content to determine routing
- Transmitting notification messages to third-party channel services as configured by the Controller
- Storing delivery logs and message metadata for retry and debugging purposes
The categories of data subjects and types of personal data are determined by the Controller based on the content of webhook payloads sent to the Service.
5. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing personal data through the Service
- Determine the content of webhook payloads and ensure they do not contain personal data beyond what is necessary
- Inform data subjects about the processing as required by Articles 13 and 14 GDPR
- Respond to data subject requests and instruct the Processor accordingly
6. Processor Obligations
The Processor shall:
- Process Customer Data only on documented instructions from the Controller, unless required by EU or Member State law
- Ensure that persons authorized to process Customer Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 8
- Assist the Controller in responding to data subject requests, to the extent technically feasible
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing
- Make available all information necessary to demonstrate compliance with Article 28 GDPR
7. Sub-processors
The Controller grants the Processor general authorization to engage sub-processors. The Processor shall maintain a list of current sub-processors and notify the Controller at least 14 days before adding or replacing a sub-processor.
The Controller may object to a new sub-processor within 14 days of notification. If the objection is not resolved, the Controller may terminate the service agreement. The Processor shall impose the same data protection obligations on sub-processors as set out in this DPA.
Current sub-processors:
- Infrastructure provider — hosting of application servers and databases within the European Union
- Paddle.com Market Limited — payment processing and billing (merchant of record)
Third-party channel services (e.g. Slack, Discord, Telegram) configured by the Controller are not sub-processors. The Controller is responsible for its relationship with these services.
8. Security Measures
The Processor implements the following technical and organizational measures to protect Customer Data:
- Encryption in transit (TLS) for all connections to and from the Service
- Encryption at rest for database storage
- Access controls limiting database and infrastructure access to authorized personnel
- Hashed passwords and secure session management
- Regular security updates and patching of infrastructure components
- Open-source codebase enabling independent security audits by the Controller
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address and mitigate the breach
10. Audits
The Controller may audit the Processor's compliance with this DPA once per calendar year, with at least 30 days' written notice. Audits shall be conducted during normal business hours, at the Controller's expense, and shall not unreasonably interfere with the Processor's operations.
The Controller may engage a qualified third-party auditor, subject to reasonable confidentiality obligations. The Processor shall cooperate with the audit and provide access to relevant documentation and systems.
11. Data Deletion
Notification data (messages, delivery logs) is automatically deleted after the retention period defined by the Controller's plan (7, 30, or 90 days).
Upon termination of the service agreement, the Processor shall delete all Customer Data within 60 days, unless retention is required by EU or Member State law. The Controller may request an export of their data before termination by contacting hello@alphorn.dev.
12. International Transfers
Customer Data is processed and stored within the European Union. The Processor shall not transfer Customer Data outside the EU/EEA without the Controller's prior written consent and appropriate safeguards under Chapter V GDPR.
When the Controller configures notification channels that transmit data to services outside the EU/EEA, the Controller is responsible for ensuring an appropriate legal basis for such transfers.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the General Terms and Conditions. The Controller shall indemnify the Processor against claims arising from the Controller's breach of its obligations under data protection law.
14. Governing Law
This DPA is governed by Austrian law. For disputes, the provisions of the General Terms and Conditions regarding jurisdiction apply.
15. Contact
For questions regarding this DPA or to exercise data protection rights, contact us at hello@alphorn.dev.